Greetings all, it seems that some completely simple things to do are not that simple. I am attempting to get a PPTP VPN connection from a 2003 server outside my OpenBSD firewall.

The connection to the 2003 server works great and is set up and running fine; my only problem is when I try to access it through my OpenBSD firewall it stalls on "Verifying username and password ......"

I followed the instructions below:

Connecting to a Windows PPTP based VPN through an OpenBSD / PF firewall
To be able to connect to a Windows based PPTP VPN through an OpenBSD firewall you’ll need to make a couple of changes to allow GRE traffic through.
First add the following to /etc/sysctl.conf:
net.inet.gre.allow=1
net.inet.gre.wccp=1
net.inet.mobileip.allow=1

Then add the following to the filter section in your /etc/pf.conf:
pass in on $ext_if proto gre all keep state
pass out on $ext_if proto gre all keep state

To make the changes effective without having to reboot issue the following as root:

I also added to my firewall rules:
rdr pass on $EXT proto {tcp,udp} to any port {47,1723} -> in.ternal.ip.addr

Lo and behold, it does not work; all I get is the "Verifying username and ...." and everything is correctly in place. It is working fine behind my 2003 box, it just won't get past my OpenBSD firewall.

I have tried this same setup and more in VMs (with/without patches) and on my production firewall. I have also tried TCP and UDP ... the rdr to port 1723 helped, and I have also tried UDP ports 50? 51? and 500? as per some reading.

ADDED: one of the error logs from the 2003 server ...

Event Type: Warning
Event Source: Rasman
Event Category: None
Event ID: 20209
Date: 9/10/2009
Time: 05:01:00
User: N/A
Computer: pcname
Description:
A connection between the VPN server and the VPN client 1.1.1.5 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

Somehow I am still blocking GRE packets/traffic with the above configurations. Suggestions? thx.

In comment to the above, I was originally trying to pipe all this junk over an SSH tunnel directly into my network (weaksauce 56-bit on MS VPN) and got stuck at passing through the OpenBSD firewall; coincidentally I am experiencing the exact same problem with piping it over SSH (via a PuTTY tunnel).

If anybody has something similar running I would appreciate some comments, and access to a VM may be possible to hack upon, thx.

I have also tried enabling the ah and esp options in sysctl with no luck. Also interesting is that from behind the OpenBSD firewall, as an XP Pro client, I can connect past it to the 2003 server (inside the same network, from a virtual subnet) and I see GRE packets all over (so OpenBSD is sending GRE out fine? by keeping state?)

"Port 47" is not the same as "Protocol 47". See /etc/protocols for a list of all of the strange, weird, odd, and haven't-been-used-in-decades-by-anyone IP protocols. You are already familiar with TCP (protocol 6) and UDP (protocol 17), which are the only two protocols that use ports.

You need a pass rule for "proto gre" rather than a redirection rule for port 47.

However, AFAIK since no port is involved no redirection rule will apply. I suppose you might route the packets, instead, with route-to.
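The following pf.conf fragment is an added example for this thread, not the original poster's ruleset and not a rule from the quoted how-to. It puts the two halves of a PPTP pass-through side by side: the TCP 1723 control channel, which has a port and can use an ordinary port redirect, and the GRE data channel (IP protocol 47), which has no port at all. It uses the pre-4.7 rdr syntax matching the rules quoted above; the interface names and the internal server address are assumptions chosen for illustration. Note that a rdr rule only needs a port specification when one exists, so a GRE redirect is written without one (pfctl accepts it), and a plain "pass in proto gre" on $ext_if only delivers GRE to the firewall itself, not to a server behind it.

```pf
# Added example (not from the thread): forward an outside PPTP client to a
# Windows PPTP server behind an OpenBSD/PF firewall, pre-4.7 rdr syntax.
# Interface names and addresses below are assumed for illustration.
ext_if   = "em0"
int_if   = "em1"
pptp_srv = "192.168.1.10"    # assumed internal address of the 2003 server

# Control channel: TCP 1723 has a port, so a normal port redirect applies.
# "rdr pass" also creates the matching pass rule so a default block does
# not drop the redirected packets.
rdr pass on $ext_if proto tcp from any to ($ext_if) port 1723 -> $pptp_srv

# Data channel: GRE is IP protocol 47, not a port number, so the redirect
# carries no port. A rule written as "proto tcp ... port 47" never sees
# these packets, which is why the Rasman 20209 warning keeps appearing.
rdr pass on $ext_if proto gre from any to ($ext_if) -> $pptp_srv

# If $int_if also has a default block, let the forwarded traffic leave
# towards the server and the server's GRE replies come back in.
pass out on $int_if proto tcp from any to $pptp_srv port 1723 keep state
pass out on $int_if proto gre from any to $pptp_srv keep state
pass in  on $int_if proto gre from $pptp_srv to any keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading, make sure `sysctl net.inet.ip.forwarding` is 1 (the net.inet.gre.* knobs in the quoted how-to concern the firewall terminating GRE on its own gre(4) interface, not forwarding it through pf), and while a client sits at "Verifying username and password" watch `tcpdump -n -e -ttt -i pflog0 proto gre` on the firewall: if GRE shows up there, a block rule is still matching it; if it never appears on $ext_if at all, something upstream is dropping protocol 47 before it reaches you. `pfctl -ss | grep gre` will show the state entry once the data channel is being passed.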